Fraud Network Analysis | Angelo Vasquez

Network Overview

Total Entities

Connections

Flagged Nodes

Fraud Rings

Interactive Entity Graph

ENTITY_RELATIONSHIP_MAP // CLICK NODES TO INVESTIGATE

Objective

Financial fraud rarely occurs in isolation. Individual records — a name, an email address, a device ID — often appear clean when examined independently. The pattern only becomes visible when you map the relationships between entities across multiple data sources simultaneously.

This analysis models a synthetic fraud network to demonstrate graph-based investigative methodology: the same approach used in physical security intelligence operations to detect shared identities, coordinated account abuse, and bust-out fraud schemes before financial damage escalates.

      Core question: Given a set of accounts, devices, emails, and persons — which relationships indicate coordinated fraud, and which investigative leads should be prioritized first?
    

Key Findings

Shared Device Across Three Distinct Identities HIGH RISK

Device A9F2 (iPhone 13, unique IMEI) was registered across the profiles of Marcus Webb, Sandra Osei, and James Frio — three supposedly independent applicants. A single device appearing across multiple identities is a primary indicator of synthetic identity fraud or account takeover. This device constitutes the central node connecting what initially appeared to be unrelated subjects.

Bust-Out Transaction Loop: Webb → Acct #8812 → Holt HIGH RISK

Account #8812, opened under Marcus Webb, received a $4,200 cash advance within 6 hours of account opening. The full balance was transferred to an external account linked to Renee Holt within 24 hours. This pattern — rapid advance followed by immediate transfer — repeated across three billing cycles and is consistent with bust-out fraud coordination between connected actors.

Duplicate Application Pattern: 94% Data Match HIGH RISK

Account #3341 (Sandra Osei) was submitted with application data 94% identical to Account #8812 (Marcus Webb) — differentiated only by a single SSN suffix digit. Address, phone, employer, and income figures were identical. This indicates either the same actor submitting under multiple identities, or a coordinated ring using templated application data.

Anonymized Email Infrastructure MEDIUM RISK

Renee Holt's primary contact email (renee.h99@proton.me) uses ProtonMail — an end-to-end encrypted provider frequently preferred by actors seeking to obscure identity. A domain-cluster analysis revealed that the mwebb_fin@gmx.co address (Marcus Webb) matches naming patterns associated with a previously documented fraud cluster operating across multiple financial institutions.

IP Address Overlap Between Flagged Devices MEDIUM RISK

Device A9F2 and Device C44B (Renee Holt) shared the same external IP address across two separate sessions — suggesting both devices were operating from the same physical location or network at the time of account activity, further linking Holt and the Webb/Osei network despite no direct account relationship on record.

Methodology

Graph-based fraud analysis models the problem as a network rather than a set of rows. Each entity — person, device, email address, account — becomes a node. Every verifiable relationship becomes an edge.

The investigative value emerges from traversal: following paths between nodes reveals connections that would be invisible in any single table or query. A person sharing a device with three others, who share an IP with a fourth, who transferred funds to a fifth — this chain only surfaces through graph traversal.

STEP 01

Entity Extraction

Pull raw records across persons, devices, emails, and accounts. Normalize identifiers for cross-matching.

STEP 02

Relationship Mapping

Build edges: who owns which account, which device logged into which session, which emails overlap.

STEP 03

Pattern Detection

Identify shared-node clusters, transaction loops, and application similarity scores using graph queries.

STEP 04

Lead Prioritization

Score nodes by connection count, flag density, and behavioral anomalies. Surface the highest-confidence leads first.

Tools & Techniques

Neo4j

Graph database for entity relationship modeling and Cypher query traversal

Cypher Query

Pattern-matching queries to surface shared nodes across degree-2 and degree-3 paths

Link Analysis

Identifying non-obvious connections between entities across multiple data dimensions

OSINT Methods

Open-source validation of email domains, device identifiers, and address clusters

Anomaly Scoring

Risk-weighting nodes based on connection density, behavioral flags, and known patterns

Visualization

Interactive graph rendering to communicate leads clearly to investigative and leadership teams

JSOC Relevance

The analytical methodology demonstrated here translates directly to physical security intelligence operations. The JSOC coordinates across fraud investigations, physical access control, and threat intelligence — all domains where entity relationships are the primary investigative surface.

FRAUD OPERATIONS

Identifying coordinated account abuse, shared device clusters, and transaction loops that indicate organized fraud rings — supporting JSOC fraud intelligence and investigative lead generation.

PHYSICAL ACCESS CONTROL

The same graph model applies to access log analysis — mapping which badge IDs, door events, and personnel appear in anomalous proximity to security incidents or sensitive locations.

INSIDER RISK

Connecting access patterns, system activity, and personnel relationships to surface behavioral anomalies that may indicate insider threat before escalation occurs.

THREAT BRIEFINGS

Producing clear, visual intelligence products from complex multi-source data — enabling security leadership to make fast, informed decisions with high situational awareness.

Fraud Network Graph Analysis